Protecting Critical Infrastructure in the Age of IoT

Keeping up with advances in technology is like being a hamster on a wheel: the race never ends. But that drive is ultimately what yields innovative advances in IT – for both hackers and cyber professionals alike.

We need to understand that we cannot control this evolution – neither its speed nor progress – but we can implement standards and best practices for a unified, fortified front against cyber adversaries. With the advent and rapid growth of the Internet of Things (IoT), it’s critical to reevaluate such standards and practices to protect our critical infrastructure from the additional threats introduced by IoT devices.

Here are a few recommendations that both government and industry should consider to combat cyber adversaries and protect critical infrastructure, including networks, systems and data, without barring the benefits and use of new technology on their networks.

1. The government needs to provide clear guidance for critical infrastructure and IoT

IoT devices are one of the main advances in recent years that have changed the cyber terrain, and although there have been more IoT devices than humans since 2008, guidance or policy to govern the use of these devices is lacking.

The federal government should implement critical infrastructure and IoT legislation, mandate adherence to security guidelines (such as those issued by NIST), collaborate with the private sector to extract expertise from the true source, collaborate with other government agencies to develop a single cyber process (e.g., DISA, DoD 8510, CNSSI 1253) to uniformly categorize high impact and critical infrastructure, and fund programs that will make availability a priority (e.g., Disaster Recovery (DR), Continuity of Operations (COOP)).

Policy shouldn’t be developed to ban IoT devices; however, it should be designed with IoT in mind to define and secure critical infrastructure. The legislation recently introduced by Senators Mark Warner (D-VA) and Cory Gardner (R-CO), the “Internet of Things Cybersecurity Improvement Act of 2017,” is a good first step toward national IoT security policy.

By requiring that any IoT devices sold to the U.S. government be patchable, be free of known security vulnerabilities, and allow users to change default passwords, the bill takes some basic, common sense steps toward IoT security and should become law.

2. Assign responsibility

Until definitive regulations for securing IoT devices are implemented, the onus of securing and monitoring is on the organizations that use IoT devices. Organizations should develop their own IoT policy to govern the use of these devices, assign responsibility for monitoring the devices to the IT and cybersecurity department, and hold the users of the devices accountable for any improper usage of IoT devices outside the organization’s guidelines.

In many cases, there are already IoT devices on networks, whether the organizations realize it or not. Organizations can use scanning tools like HBSS and SCOM to identify IoT devices and either disconnect them or require a justification for their use. For IoT devices connected via WiFi, organizations may need to either create or change the WiFi password, then develop a process to grant password permissions.

Alternatively, if a majority of users are employing IoT devices, or if halting IoT use would limit productivity or affect the mission, it may be best to establish a separate network solely for IoT devices. Regardless of the solution, it will be costly and take time to implement. That’s why it’s best to establish policy before allowing any IoT devices on the network and ensure that policy not only regulates the devices but also how the data used by those devices is processed and stored.

Once the organization has decided how to handle the devices already on the network, it needs to develop an approval process for additional devices that provides a justification and proof of significant benefit to the organization. If the device is justified, the organization needs to determine if the IoT device is secure and, if not, determine how they can make it secure.

Third, the organization needs to establish rules for using the device (e.g., only connect the device to corporate Wi-Fi or a dedicated IoT network) and establish consequences for breaking those rules.

3. Collaborate to improve security

Now that the Cybersecurity Information Sharing Act (CISA) is law, offering protections to encourage companies voluntarily to share information with the public and private sectors, information sharing efforts have finally begun to advance.

Several public-private working groups sponsored by the Department of Homeland Security (DHS) are tackling the tough issues of what kind of information should be shared and, even more difficult, precisely how it should be shared. Other public-private partnerships in cybersecurity are also proving beneficial.

For example, the IT Sector Coordinating Council (IT SCC) brings together companies, associations, and other key IT sector participants to work collaboratively with DHS, government agencies, and other industry partners. Through this collaboration, the IT SCC works to facilitate a secure, resilient and protected global information infrastructure.

The NIST Cybersecurity Framework, intended to help secure critical infrastructure, is another excellent example of collaboration yielding tangible results. The public-private partnership model is an excellent one for cybersecurity and should be effective for IoT security as well.

4. An organization is only as secure as its weakest link – people

Even if an organization banishes IoT devices and implements best practices to defend its critical infrastructure, it still only takes one click to enter the network. One phishing email to the email address of a curious user and the entire network is suddenly at risk.

Organizations should educate and train users and follow up regularly to measure the effectiveness of training programs and determine how to improve them. Regardless of the technical security of a network, the human factor of IT will always introduce opportunities for cyber adversaries to attack.

Be thoughtful and purposeful when defining the organization’s critical infrastructure; regularly re-investigate and re-evaluate what’s connected to systems and allowed to access the organization’s networks and data. Every internet-enabled device – a thermostat, a camera, a sensor, or other devices – has the potential to become a portal to the most critical data.

Policy, whether developed by the government, industry, or an individual organization, should govern the use of IoT devices on an organization’s own critical infrastructure, and that policy must be enforced and also reevaluated as technology continues to evolve.

These recommendations will help organizations maintain a secure state; however, maximum security is only possible through regulation enforced by policy. While some lawmakers might argue that laws and regulations may stifle the growth of IoT’s economic contributions, growth without security could have a devastating impact on the economy. Therefore, it is critical that the government develop and implement policy to define and govern both critical infrastructure and IoT.

IoT is advancing exponentially, and with advances occurring so rapidly, potential uses and benefits are beyond the reach of speculation. McKinsey Global reports an expected IoT economic impact of $3.9 trillion to $11.1 trillion a year by 2025. And according to Cisco, IoT has the potential to grow global corporate profits by 21 percent in 2022.

Conversely, more devices mean more potential entry points into networks and more opportunities for cyber adversaries to increase their profits as well. The entire definition of critical infrastructure must be reconsidered, and the benefit of IoT devices must be balanced against the increased risk of cyberattack they introduce.

About the Author:Colby Proffitt is a Senior Analyst for NetCentrics Corporation, a leading provider of cybersecurity and IT Services for the federal government.

Editor’s Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.